MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a
SHA3-384 hash: d9690005cb7c076f5f2989eda7a3353c4d1883cc57c68ebb6ac4e0caa7c93face2796d124f08bbcf289f09fdc9169297
SHA1 hash: b32da1c27018ecd77b9bfe8705eb9a0c1cf5bce5
MD5 hash: fd5149a080f7ea1115f391843c692262
humanhash: emma-red-ten-juliet
File name:fd5149a080f7ea1115f391843c692262.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:422'400 bytes
First seen:2021-04-28 05:44:35 UTC
Last seen:2021-04-28 06:01:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7073ec0ac5b1ce29cc9db7433112f99 (1 x RedLineStealer)
ssdeep 6144:dueFL0VJfWB1ftobg3t/DywVRRMBnvl6OP39N3qBmAnzAP0HpFmdR:dueFkJfW7f2g97nV2vn39PuFHpk
Threatray 485 similar samples on MalwareBazaar
TLSH 4394BE01B1CCD032D5B315768865DFB58AAAFCA4A71509CF6AC83EB95F34ED1A73130A
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd5149a080f7ea1115f391843c692262.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-28 05:48:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be608a41-022b-4ce7-9542-934bc4addfbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144807/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.4612.25712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/700028
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a/
Threat name:
Win32.Trojan.RedLineStealer
Create hunting rule
Status:
Malicious
First seen:
2021-04-28 05:45:14 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=llmmk5zent3lbnheigsdsimitvnf3xc6ov4reqpoy6hwazpwonfa._file
Verdict:
malicious
Similar samples:
14daec5258539d3a3ad5ff1bd6ba45d0015dcf9e5ef6c5181aa0cf7b0932c8f5
RedLineStealer
45cfc2ce1e033a00c42202e16a7ba83229688d49d7776e175488c56aade45558
RedLineStealer
75353832f53e2cb6fa45f6480ef70fa5ef8a37c5797baa4aacc65e37bf4087b9
RedLineStealer
91fa1797421a3393289ae3892d128158ca3a16efd453be49e0c38d5891deefba
RedLineStealer
9fc4c09d4cb89762626fce008d9840abb128c99ec3cd162eed684c67418149d7
RedLineStealer
a21b6b2e6336efdfe470806c0d615ede9acacd44ab317ce7e4c59cfb8de1619f
RedLineStealer
a2a2de6ffa56b9dd3cd4f08f66661ba52deb04c2210afb97726c8e7cc539ff48
RedLineStealer
b9152b30240e7f0a2a14276fdacc79e6e106419d118423d48287df3c35cad766
RedLineStealer
da7c1a29438b2c219e7ef8d84b198604d663de649d4f8fca71a3f46b895eaf1c
RedLineStealer
ecac41ea859c9ba34b3f6bfbb6e4922aebf761c0655c20e2e9a965df7627410c
RedLineStealer
+ 475 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:118 infostealer
Link:
https://tria.ge/reports/210428-werwyq2pha/
Behaviour
Suspicious use of AdjustPrivilegeToken
RedLine
RedLine Payload
Malware Config
C2 Extraction:
bumblebee2021.store:80
trusmileveneers.store:80
lazerprojekt.store:80
Unpacked files
SH256 hash:
2e3aa46dc81d14f2d06cf433a6001e21e319c865a9a17399304840132f01afd0
MD5 hash:
091fa34902321dc5010e5ff877d87de7
SHA1 hash:
ee6544cff495d341ca405cd46b0534f7232a23a2
Link:
https://www.unpac.me/results/9bee819b-32a7-4de0-9c32-41901b4a9bea/
SH256 hash:
5376db69d806b5502a83df8d1a72b710f85e1cc836e4e99c28f597df579cf2e6
MD5 hash:
72265e2b34f180440c72aede18b7a2a5
SHA1 hash:
cee07fe1b8e187f2c86f416033b2d2318c18144b
Link:
https://www.unpac.me/results/9bee819b-32a7-4de0-9c32-41901b4a9bea/
SH256 hash:
1945c220b4f0526f15cdf786499596a903439986d4cad85a340c5f31f86a6e15
MD5 hash:
beb73c5f7f931fe888343a7e27a4d456
SHA1 hash:
67d873cc5301efbe4bcd41fcd45193e939dc83ad
Link:
https://www.unpac.me/results/9bee819b-32a7-4de0-9c32-41901b4a9bea/
SH256 hash:
5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a
MD5 hash:
fd5149a080f7ea1115f391843c692262
SHA1 hash:
b32da1c27018ecd77b9bfe8705eb9a0c1cf5bce5
Link:
https://www.unpac.me/results/9bee819b-32a7-4de0-9c32-41901b4a9bea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1147433/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144807/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 06:05:19 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0033] Operating System Micro-objective::Console
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0043] Process Micro-objective::Check Mutex
14) [C0042] Process Micro-objective::Create Mutex
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process
17) [C0039] Process Micro-objective::Terminate Thread